This document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore.

Size: px

Start display at page:

Download "This document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore."

Todd Underwood
5 years ago
Views:

1 This document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore. Title On multidimensional linear cryptanalysis Author(s) Citation Nguyen, Phuong Ha; Wei, Lei; Wang, Huaxiong; Ling, San Nguyen, P. H., Wei, L., Wang, H., & Ling, S. (2010). On multidimensional linear cryptanalysis. Lecture Notes in Computer Science, 6168, Date 2010 URL Rights 2010 Springer-Verlag Berlin Heidelberg. This is the author created version of a work that has been peer reviewed and accepted for publication by Lecture Notes in Computer Science, Springer-Verlag Berlin Heidelberg. It incorporates referee s comments but changes resulting from the publishing process, such as copyediting, structural formatting, may not be reflected in this document. The published version is available at:

2 On Multidimensional Linear Cryptanalysis Phuong Ha Nguyen, Lei Wei, Huaxiong Wang, and San Ling Division of Mathematical Sciences, School of Physical and Mathematical Sciences Nanyang Technological University, Singapore {ng0007ha, weil0005, hxwang, Abstract. Matsui s Algorithms 1 and 2 with multiple approximations have been studied over 16 years. In CRYPTO 04, Biryukov et al. proposed a formal framework based on m statistically independent approximations. Started by Hermelin et al. in ACISP 08, a different approach was taken by studying m-dimensional combined approximations from m base approximations. Known as multidimensional linear cryptanalysis, the requirement for statistical independence is relaxed. In this paper we study the multidimensional Alg. 1 of Hermelin et al.. We derive the formula for N, the number of samples required for the attack and we improve the algorithm by reducing time complexity of the distillation phase from 2 m N to 2m2 m + mn, and that of the analysis phase from 2 2m to 3m2 m. We apply the results on 4- and 9-round Serpent and show that Hermelin et al. actually provided a formal model for the hypothesis of Biryukov et al. in practice, and this model is now much more practical with our improvements. 1 Introduction Linear cryptanalysis [12] was formally introduced in 1993 by Matsui, who suggested 2 algorithms to exploit linear approximations of block ciphers. Consider a block cipher E k ( ) with a linear approximation: g = ux vy ck and P r(g = 0) = 1/2 + ɛ, where u, v, and c are the selection patterns for the plaintext, ciphertext and the extended key, respectively, X is the plaintext and Y is ciphertext, K is extended key of secret key k, and ɛ is the bias of linear approximation. Algorithm 1 in [12] is a known-plaintext attack and it requires a pool of sufficiently many random plaintext-ciphertext pairs. If successful, the parity ck can be recovered and N the number of random samples as (X, Y ) pairs needed is proportional to c/ɛ 2, where c is a constant that depends on the success probability. In 1994 Matsui provided the first experimental cryptanalysis of DES [13], using two linear approximations derived from the best 14-round expression. From then researchers started the quest for better attacks by using multiple linear approximations to improve the basic form of Alg. 1 and 2 in [12]. In the same year, Kaliski and Robshaw [11] combined m linear approximations

3 2 Phuong Ha Nguyen, Lei Wei, Huaxiong Wang, and San Ling g 1,..., g m, with biases of ɛ 1,..., ɛ m respectively. The linear approximations are required to have the same selection pattern c for the extended key. N can achieve an m-fold reduction while keeping the same success rate, with N proportional to 1/ m i=1 ɛ2 i. Due to the restriction on the key mask, it recovers at most 1-bit parity c K. Intuitively speaking, asking 1 parity bit from m approximations simultaneously would require much fewer samples than from a single approximation, under the same success rate. In 2004 Biryukov et al. [2] show a statistical framework for using multiple approximations in both Alg 1 and Alg 2. In their generalization to Alg. 1, m statistically independent linear approximation g 1,..., g m are used, with biases of ɛ 1,..., ɛ m respectively. The attack is able to recover at most m parity bits if successful, with N proportional to 1/ m i=1 ɛ2 i. In practice, m linearly dependent masks are used with m > m. It is expected that the performance in this case is strictly better than that of m independent approximations, although no explicit estimation of N was given. They confirmed the reduction in data complexity by using m = 86 approximations for 8-round DES, the 86 approximations only give 10 linearly independent key masks. In 2007, this reduction in N by using multiple approximations is further confirmed by experiments of Collard et al. [7], with m = 64 for 4-round Serpent from 10 linearly independent text masks. Collard et al. also observed that the gain increases 8 times faster with 64 approximations than with 10 approximations. Both [2] and [7] did not analyze why such an advantage is present. Some intuitive guesses were given by Collard et al. [7], referring to linear hulls, error correcting codes, etc. They also noticed that in practice, m and m cannot be too large due to computation limits. Significant reduction in data complexity can be achieved by the methods in [2]. However, in practice, it is generally not easy to verify whether the m approximations are statistically independent. Instead, linear independence is used as a criterion for the m approximations, in both [2] and [7]. In the meantime, it is also helpful to doubt whether there is a better attack if the m approximations are linearly independent in text masks but statistically correlated, as shown by the experimental results in [2] and [7]. Notably, these experiments work with linearly dependent text masks. Hermelin et al. [10] introduced a multidimensional framework, in which Matsui s Alg. 1 is generalized to m-dimensions to exploit correlations between the m approximations, to achieve a higher capacity. Experiments on 4-round Serpent have shown that this method reduces N compared with a similar attack in [7]. In this framework, the requirement for statistical independence of approximations is relieved. Instead, the approximations only need to have linearly independent text masks. This resembles the experiment scenarios in [2] and [7]. In fact, in [10] it is shown clearly that the statistical independence assumption of [2] does not hold. In [10], the formula for N is derived as the amount of data needed to tackle the Z -ary hypothesis testing problem, where Z is the set of key classes. It does not reflect how it depends on the approximations g 1,, g m and it is not

4 On Multidimensional Linear Cryptanalysis 3 efficiently computable. The reduction in N compared with [2] was observed empirically, rather than theoretically. Our first contribution is the provision with proof of a much simpler theoretical formula for the number of samples required, to complement this theoretical framework in [10]. This formula gives us insights on how much can be achieved with multidimensional linear cryptanalysis. We can now easily estimate N given g 1,..., g m, hence the attack complexity. The simplicity of the formula eases cryptanalysis greatly since to compute N with the original formula in [10] (for N key ) requires a lot of computation when m is large. A major obstacle for the method in [10] to be useful is that the number of approximations m is much limited due to complexity bottlenecks in the distillation phase (2 m N) and the analysis phase (2 2m ) of the online stage. This limitation hinders the application of multidimensional Alg. 1 in practice when more approximations have to be used. Our second contribution is that we present a method (Method-A) for the distillation phase to speed up the computation for distributions to 2m2 m + mn, using ideas from [6], and we develop Method-B to the analysis phase which reduces the complexity to 3m2 m. We arrive at an improved algorithm for the multidimensional generalization of Matsui s Alg. 1 in [10], better than previous generalizations to a number of degrees. Most importantly, the algorithm is practical, with strong support from theoretical work in [10]. We show applications to 4- and 9-round Serpent as examples. The paper is organized as follows. Section 2 contains notations and some basic notions. Section 3 is about the statistical model and algorithm in [10]. We show briefly how the distribution of an m-dimensional vectorial Boolean function g can be constructed from m given approximations g 1,..., g m as Boolean functions. Section 4 contains our contributions. After the proof for N, we analyze the algorithm of [10] step-wise, to introduce our improvements, followed by the descriptions for each improvement. Section 5 describes the improved algorithm in detail. Section 6 gives the application results on Serpent and comparisons with previous cryptanalysis results [1] and [4]. In Section 7, we conclude and discuss the implication of our work. 2 Notations and Background We follow the notations used in [10]. Denote the space of m-dimensional binary vectors by V m or V m := GF (2) m. The inner product of 2 vectors a = (a 1,..., a m ), b = (b 1,..., b m ), a, b V m is ab = m i=1 a ib i. The function f : V m V 1 is called a Boolean function and f : V n V m, f = (f 1,..., f m ) is called a vectorial Boolean function, where each f i is a Boolean function for all i = 1,, m. Let X be a random variable (r.v.) in V m. Let p η = P r(x = η), with η V m. Then p = (p 0, p 1,..., p 2m 1) is the probability distribution (p.d) of r.v. X. If we associate with a vectorial Boolean function f : V n V m an r.v. Y := f(x), where X is uniformly distributed in V m, then the p.d. of Y is

5 4 Phuong Ha Nguyen, Lei Wei, Huaxiong Wang, and San Ling p(f) := (p 0 (f),..., p 2m 1(f)) where p η (f) = P r(f(x) = η), for all η V m. Two Boolean functions f and g are called statistically independent if their associated r.v. s f(x) and g(y ) are statistically independent, with X, Y uniform in V n. The correlation between a binary r.v. X and 0 is ρ = P r(x = 0) P r(x = 1) = 2ɛ, where ɛ is the bias of the r.v. X. Let g : V m V 1 be a Boolean function. Its correlation with 0 is defined as ρ = 2 m (#{η V m g(η) = 0}) #{η V m g(η) = 1}) = 2P r(g(x) = 0) 1, where X is uniformly distributed in V m. Definition 1. Let p = (p 0,..., p M ) and q = (q 0,..., q M ) be two p.d. s. Then their (mutual) capacity is C(p q) = M (p η q η ) 2 η=0 q η. (1) Definition 2. The relative entropy or the Kullback-Leibler (KL) distance between two distributions p = (p 0,..., p M ) and q = (q 0,..., q M ) is defined as D(q p) = M η=0 q η log q η p η. In [6], Collard et al. presented the following theorems concerning circulant matrices. Theorem 1. A circulant S of level k and type (m, n, o,..., r) is diagonalizable by the unitary matrix F = F m F n F o F r S = F diag(λ)f, where λ is the vector of eigenvalues of S, the symbol is the Kronecker product and F n is the Fourier matrix of size n n defined by: F n (i, j) = 1 n ω ij, (0 i, j n 1) with ω = e 2π 1 n. Theorem 2. The eigenvalues vector λ of a circulant matrix S of level k and type (m, n, o,..., r) can be computed with the following matrix-vector product: λ = FS(:, 1) mno... r where S(:, 1) means we take the first column of S.

6 On Multidimensional Linear Cryptanalysis 5 We recall important results on the Fast Fourier Transform [8], Fast Walsh- Hadamard Transform [14] and Parseval s theorem. Given an M-dimensional vector E = (E 1,..., E M ) and a matrix F M M, we have M-dimensional vector D = FE T, where E T is the transpose of E and F is a Hadamard matrix if F(i, j) = ( 1) ij, for all i, j = 0,, M 1. If matrix F is either Fourier or Hadamard, vector D can be computed with complexity O(M log M) instead of O(M 2 ) by Fast Fourier Transform or Fast Walsh-Hadamard Transform, respectively. We recall basic facts due to Parseval: Let f : V m R where R is the real field, and a V m. We define f 1 (a) = b V m ( 1) ab f(b), A = a V m f 2 (a) and A 1 = a V m f 2 1 (a). Then 2 m A = A 1 or 2 m ( f 2 (a)) = f1 2 (a). (2) a V m a V m 3 Statistical Model and Algorithm of Hermelin et al. 3.1 Constructing Multidimensional Probability Distribution Let f : V l V n be a vectorial Boolean function and binary vectors w i V n, u i V l, i = 1,..., m be selection patterns such that pairs of input and output masks (u i, w i ) are linearly independent. Define the functions g i as g i (η) = w i f(η) u i η, η V l, i = 1,, m and g i has correlation ρ i, i = 1,, m. Then ρ 1,..., ρ m are called the basecorrelations, and g 1,..., g m are the base approximations of f. Let g = (g 1,..., g m ) be an m-dimensional vectorial Boolean function, and matrices W = (w 1,..., w m ) and U = (u 1,..., u m ) contain the output and input masks for each of the g i, then we find the p.d. p = (p 0,..., p 2m 1) of g(η) = W f(η) Uη. Lemma 1. [10] Let g = (g 1,..., g m ) : V l V m be a vectorial Boolean function and p = (p 0,..., p 2 m 1) its p.d. Then 2 l p η = 2 m ( 1) a(g(b) η). b V l Define a V m ρ(a) = 2 l b V l ( 1) ag(b) = P r(ag(x) = 0) P r(ag(x) = 1), where X is an r.v. uniformly distributed in V l.

7 6 Phuong Ha Nguyen, Lei Wei, Huaxiong Wang, and San Ling Corollary 1. Let g : V n V m be a Boolean function with p.d. p and correlations ρ(a) of the combined approximations ag, for all a V m. Then for η V m, p η = 2 m ( 1) aη ρ(a). (3) a V m 3.2 Multidimensional Generalization of Matsui s Alg. 1 We describe the core idea of the multidimensional algorithm 1 in [10]. Let there be m linear approximations g i := u i X v i Y c i K, (i = 1,, m). Their corresponding correlations are ρ i := 2P r(u i X v i Y c i K = 0) 1 where the masks c i for the extended key K are linearly independent. In addition, the pairs of input and output masks (u i, v i ) are linearly independent. Define g := (g 1,..., g m ) with p.d. p, and h := (h 1,..., h m ), where h i = u i X v i Y. We call h an experimental function, as we use two of its probability distributions, namely, the theoretical p.d. q and the empirical p.d. ˆq. In the attack, q is approximated by ˆq, which is computed from N samples. Let w i = c i K, i = 1,, m be the parity bits of the extended key K. As the c i s are linearly independent, w = (w 1,..., w m ) defines a key class of K. Thus we have g = h w. Hence, the p.d. q of experimental function h is a permutation of p. Since {c i } are linearly independent, with the 2 m possible parity vectors w, the key space K can be classified into 2 m classes. Let w be the correct key class, as p w is the permutation of p corresponding to w, we have q = p w. By [3], given w, the relationship between p w and p is p w η = ( 1) a(η w) ρ(a) = p η w, η V m. (4) a V m The KL distance is then used to determine the correct key class w, by constructing a hypothesis testing problem of finding the closest distribution p w with ˆq among the 2 m possibilities of w. In [10] the following theorem is described. Theorem 3. Let us have an Z -ary hypothesis problem, with Z hypotheses H w stating that the data originates from p w, where w Z corresponds to the key. The hypothesis for which the Kullblack-Leibler distance D(ˆq p w ) is smallest is selected. Given some success probability P sc, the lower bound N for the amount of data required to give the smallest value of the statistic when the correct key is used, is given by 4 log N 2 Z min w 0 C(p 0, p w ). (5) Now we analyze the multidimensional algorithm 1 step by step.

8 On Multidimensional Linear Cryptanalysis 7 Algorithm of Hermelin et al. [10] Input of offline stage: m linear approximations g i, i = 1,, m with correlation ρ i and p, the p.d. of g. Offline: Compute N based on (5) and p. Input of online stage: N pairs of (X, Y ), with N computed in offline stage. Online: 1 Distillation phase: Compute empirical p.d. ˆq of h using 2 m counters. 2 Analysis phase: Construct matrix T 2m 2 m, with cell T(w, η) = log( ˆqη p ), for all w, η V w m. η Compute D(ˆq p w ), for all w V m, D = Tˆq T = (D(ˆq p 0 ),..., D(ˆq p 2m 1 )). (6) 3 Sorting phase: Sort the list of w with D(ˆq p w ) in ascending order. 4 Searching phase: Choose the correct key class as the first element in the sorted list. Note: in Step 2 the matrix T does not need to be stored. Storing a single row is sufficient. Other rows can be obtained as (4) by permuting this row when it s required for computation. 4 The Improvements 4.1 A Formula for N, the Number of Samples Required Given g = (g 1,..., g m ) and ρ(a), for all a V m, by (5), the capacity of the attack of [10] is min w 0 C(p 0 p w ). Let p = p 0 and q = p w, we derive the following lemma. The proof is given in Appendix A. Lemma 2. C(p q) 2 a V m\{0} ρ 2 (a). Combining with (5) we have the following theorem. Theorem 4. The estimation for N in the attack of [10] with m linear approximations g i, (i = 1,..., m), where the {c i } are linearly independent and (u i, v i ) are linearly independent, is given by m N 2 a V m\{0} ɛ2 (a). (7) With the new formula for N, we can now compare the multidimensional Alg. 1 with previous attacks on their data complexities, as shown in Table 4.1. The last row contains our formula for N. We can see that the framework provided by Hermelin et al. in [10] is able to exploit all the combined approximations systematically, as compared to Biryukov et al. in [2].

9 8 Phuong Ha Nguyen, Lei Wei, Huaxiong Wang, and San Ling N Framework Comments 1/ɛ 2 [12] Matsui 1/ P m i=1 ɛ2 i [11] Kaliski and Robshaw 1/ P m i=1 ɛ2 i [2] Biryukov et al. m/2 P a 0 ɛ2 (a) [10] Hermelin et al. See (7) Table 1. Comparisons of data complexities with different attack frameworks 4.2 Analysis of the Multidimensional Alg. 1 in [10] We analyze the multidimensional Alg. 1 of Hermelin et al. step by step and introduce our improvements. Identifying the Bottleneck Complexity Analysis Offline: An estimation of N can be computed from (5), which is slow to the best of our knowledge, no obvious algorithm is much faster than 3m2 m steps. Online: 1 Distillation Phase: Using 2 m counters to compute ˆq from N samples. The complexity is 2 m N. 2 Analysis Phase: Computing D has a time complexity of O(2 2m ). If we increase m, the number of base approximations g 1,..., g m, we may expect N to decrease [10], but the complexities in the distillation and the analysis phases suffer from exponential increase. The actual number of approximations that can be used is hence limited by the computation resources allowed. It is a trade-off. Improving the Bottleneck To compute the KL distance between a p.d. ˆq and p w, we observe that after expanding D(ˆq p w ) = η V m ˆq η log(ˆq η /p w η ) = η V m ˆq η log ˆq η η V m ˆq η log p w η, the term η V m ˆq η log ˆq η is a constant and hence does not affect the ranking of key classes. We can define D(ˆq p w ) = η V m ˆq η log p w η and use D( ) to rank the key class candidates. The list of w in the sorting phase of the online stage is now sorted by the values of D(ˆq p w ) in descending order. A new matrix T is constructed as T(w, η) = log(p w η ), w, η V m. (8) In Section 4.3 we show that matrix T is a circulant matrix. By Theorem 1 the Fast Fourier Transform algorithm can be applied for fast computation. For T, only the first column ( T(w, 0) = log(p w 0 ) = log(p w ), for all w V m ) needs to be stored. The memory requirement is 2 m. T is used for computing D = Tˆq T. Our Improvements: Offline: We present a formula for N based on p, without using (5). Online:

10 On Multidimensional Linear Cryptanalysis 9 Step 1: We present Method-A to calculate ˆq from N samples given. The complexity is 2m2 m + mn. Step 2: We present Method-B to compute D. The complexity is 3m2 m. 4.3 Fast Computation of Empirical Distribution Method A Method A is for computing the empirical distribution ˆq of the experimental function h = (h 1,..., h m ) from N samples (X, Y). First, the correlations of the combined linear approximations bh, for all b V m, ˆγ(b) = P r(bh(x, Y) = 0) P r(bh(x, Y) = 1), are calculated. Then the p.d. ˆq is computed from ˆγ(b) by (3). We show how to compute ˆγ(b), for all b = (b 1,..., b m ) V m from N samples: m N j=1 ˆγ(b) = ˆγ( b i h i ) = ( 1)L m i=1 bihi(xj,yj) N i=1 = L m ( 1) T i=1 biai a N = ( 1) ba T a N, a V m a V m where a = (a 1,..., a m ) and T a = #{(X j, Y j ), j = 1,..., N : h i (X j, Y j ) = a i }. Let S 2m 2 m be the matrix defined by S(b, a) = ( 1) ba, and let E = ( T0 N,..., T 2 m 1 N ), and ˆγ = (ˆγ 0,..., ˆγ 2 m 1), then ˆγ(b) = S(b, a)e a, b V m, or ˆγ = SE T. a V m Since S is a Hadamard matrix, we can apply the Fast Walsh-Hadamard Transform algorithm for computing ˆγ(b) for all b V m with complexity m2 m, and the storage is O(2 m ). The complexity for computing the counter vector T = (T 1,..., T 2 m) is mn, by evaluating the m base approximations against each of the N samples. Construct the vector R = (R 0,..., R 2m 1) with R b = 2 mˆγ(b), for all b V m. From (3) we have ˆq η = b V m ( 1) ηb R b, η V m, or ˆq = SR T. The Fast Hadamard Transform is used again to compute ˆq. Hence, the total complexity is mn + 2m2 m for computing ˆq from N samples. To Summarize Method A Step 1: Construct the vector E from N samples (X, Y ). Step 2: Compute ˆγ = SE T, then construct the vector R. Step 3: Compute ˆq = SR T.

11 10 Phuong Ha Nguyen, Lei Wei, Huaxiong Wang, and San Ling 4.4 Fast Computation of Kullback-Leibler Distance Method B Method-B is used to compute the vector D in (6) with modified matrix T in (8) based on the idea of circulant matrix in [7]. The proof of the following theorem can be found in Appendix B. Theorem 5. The matrix T is level-m circulant with type (2, 2,..., 2). }{{} m-times Method-B : From Theorems 1, 2, and 5 we have T = F diag(λ)f, (F F = I), (9) λ = F T(:, 1) 2 m, (10) and D = ( D(ˆq p 0 ),..., D(ˆq p 2m 1 )) = Tˆq = (F (diag(λ)(fˆq))). Applying the Fast Fourier Transform three times for F, diag(λ), and F we get all the values D(ˆq p w ), for all w V m. The complexity is 3m2 m. 5 Efficiency of the Improved Algorithm The improved algorithm works as follows: Input of offline stage: m linear approximations g 1,..., g m and p.d. p and ρ(a) of g, for all a V m. Offline stage: Step 1: Compute N by (7). Step 2: Compute the eigenvalue vector λ of matrix T based on (10) and p. Input of online stage : N samples (X, Y ). Online stage : Step 1 Distillation: Compute empirical p.d. ˆq of h from N by Method-A. Step 2 Analysis: From λ and ˆq, compute vector D by Method-B. Step 3 Sorting: Sort the key classes w with D(ˆq p w ) in descending order. Step 4 Searching: Choose the correct key class as the first element in the sorted list. The improved results are presented in Table 2 to compare with previous results on the complexities of the distillation phase and the analysis phase, following [10]. In practise mn is always larger than 2m2 m, and we estimate O(2m2 m + mn) = O(mN). Following the definitions of N s.i. and N plain in [10], N < N s.i. < N plain, m < m (also see Table 4.1), we have significant improvement in the time complexities for the distillation phase and the analysis phase. In addition, we have proved that the multidimensional algorithm 1 requires fewer samples than Biryukov et al.[2]. The same result was observed in [10] with only empirical evidence.

12 On Multidimensional Linear Cryptanalysis 11 Distillation Phase Analysis Phase Plain Biryukov Hermelin Method-A Plain Biryukov Hermelin Method-B Data O(N plain ) O(N s.i) O(N) O(N) Time O(mN plain ) O(m N s.i) O(2 m N) O(mN) O(m2 m ) O(m 2 m ) O(2 2m ) O(m2 m ) Mem O(m) O(m ) O(2 m ) O(2 m ) O(2 m ) O(2 m ) O(2 m ) O(2 m ) Table 2. Complexity comparison between different algorithms 6 Application to Cryptanalysis In this section we apply the improved algorithm to reduced-round Serpent and derive the attack complexities. We derive attack scenarios by using 4-round and 9-round linear characteristics used in [10] and [4] to show that the improvement made in this paper can improve previous cryptanalysis by many orders of magnitude. 6.1 Application to the 4-round Serpent Scenario In [7] 64 approximations were used to obtain 10 parity bits of 4-round Serpent, from S 4 to S 7. The approximations are modified from the first 4 rounds of the 6-round linear characteristic of [4], with the details described in [5]. As shown in [10], these approximations used are not linearly independent in text masks and key masks. There are 8 of them with correlation in magnitude of 2 11 and 56 of This gives an overall capacity of 4 63 i=0 ɛ i = hence estimation of 4m/4 m i=1 ɛ2 i = for N. By selecting a basis of 10 approximations L 0,..., L 9 from the 64, where L i is u i X w 0 Y c i K = 0, Hermelin et al. [10] studied all the approximations generated as in span{l 0,..., L 9 }. Of the 1023 combinations, 8, 64 and 128 are with non-negligible correlation in magnitude of 2 11, 2 12 and 2 13, respectively. Lemma 2 gives capacity C(p q) of at least 2 a 0 ρ2 (a) = 2 ( ) = 2 16 and hence the estimation for N is 4m/C(p q) = , in perfect correspondence to the experimental results in [10]. With Method-A and Method-B, we can set m = 16, yielding an attack with better complexity than the multidimensional Alg. 1 of [10] with m = 10. The approximations L 0,..., L 9 are derived from the same linear characteristic with input masks u 0,..., u 9 and the same output mask w 0. We obtain 6 additional ciphertext masks w 1,..., w 6 and use the following 16 approximations as base approximations: (u 0, w 0 ),..., (u 9, w 0 ), (u 1, w 1 ),..., (u 1, w 6 ). An exhaustive check of all combined correlations shows that 32, 384, 1664, 3072 and 2048 of the combined approximations have correlation in magnitude of 2 11, 2 12, 2 13, 2 14 and 2 15 respectively. This gives a capacity of , hence we estimate N 4m/C(p q) = We tabulate the comparisons in Table 3. From the table we can conclude that it is clearly advantageous to be able to have a larger m, i.e., when using m = 16 instead of m = 10, in the case of Serpent. A larger m

13 12 Phuong Ha Nguyen, Lei Wei, Huaxiong Wang, and San Ling in this case makes it possible to have a larger number of non-negligible approximations, hence larger capacity, which implies reduced data complexity thus the overall time complexity. Setting m = 16 improves the cryptanalysis due to the fact that the number of non-negligible approximations in Serpent is exponential in m. It may appear that the attack is slower with a larger m. However, in fact, it is the reduction in data complexity N that dominates the time complexity, so we obtain a faster attack. Essentially, this is a trade-off and it is always meaningful to find an appropriate m for a block cipher to produce optimal attack complexity. However, by our experiments, in the case of DES, the number of high probability approximations is much fewer than that of Serpent, so larger values of m do not give better results than fewer approximations. We believe that SPN block ciphers with small S-boxes are more likely to be vulnerable to our attack. m C(p q) N Distillation Phase Analysis Phase Memory Hermelin et al. [10] This paper Hermelin et al. [10] This paper Table 3. Attack complexities on 4-round Serpent 6.2 Multidimensional Linear Cryptanalysis of 9-round Serpent We take the 9-round linear characteristic of [4], where the details are described in [5]. This linear characteristic starts from S 3 and ends after the next S 3, with correlation The first round has 11 active S-boxes, which results in a correlation of 2 11 and the remaining 8 rounds with correlation By modification to the input masks, there is a total of masks, with the magnitude of first round correlation from 2 11 to By picking 44 independent base input masks, we can expect to have around out of the 2 44 combined approximations giving non-negligible correlations. We can exploit the huge number of approximations by a 44-dimensional attack, with capacity 11 ( ) 11 C(p q) = 2 [ 2 i 8 11 i ((2 1 ) i (2 2 ) 11 i ) 2 ] (2 38 ) 2 = 2 75 i i=0 which is 2 22 times larger than the capacity 2 98 for the single approximation scenario. Correspondingly the estimation for N is 4m/C(p q) = The time complexity for the distillation phase is 2 88 and the analysis phase is Around 2 44 memory are needed. In [4], this 9-round linear characteristic is used to break a 10-round and an 11-round Serpent with Matsui s Alg. 2 extended with multiple approximations. It requires at least 2 99 known-plaintext which is much higher

14 On Multidimensional Linear Cryptanalysis 13 than our estimation. Moreover, the time complexities presented in [4] did not take into account the distillation phase, which should require no lower than mn which is greater than Hence, it is much higher than our overall time complexity Comparing with extensions of Alg. 2, a disadvantage of Alg. 1 is that an r-round linear characteristic can be used to attack an r-round block cipher. However, it is noted in [7] that optimal application of Algorithm 2 with multiple approximations requires accurate estimation of the biases, which can be unreliable if multiple linear characteristics exist with non-negligible probability under the same text mask. Intuitively, Alg. 1 is likely to give more reliable estimation for theoretical cryptanalysis. 7 Conclusions In this paper, we have presented a new formula for N, in terms of ρ(a) and m, for the Z -ary hypothesis testing problem in the multidimensional generalization of Matsui s Algorithm 1 in [10]. The number of known plaintext needed can now be computed from ρ(a) directly, whereas it is harder to compute min w 0 C(p 0, p w ) in the original formula (5). Method-A and Method-B have been presented to compute the empirical distribution and Kullback-Leibler distance, as improvements to the multidimensional Alg. 1 in [10]. A significant reduction of time complexity in the distillation and analysis phases can be achieved. Breaking these bottlenecks allows many more base approximations to be used. As shown in the case of 4- and 9-round Serpent, the increase in m brings significant reduction on the data complexity and the time complexity. We expect this improved algorithm to outperform previous multiple linear cryptanalysis. We observed that the framework of Hermelin et al. [10], with our improvement, solves the problem of Biryukov et al. [2] that the statistical independence assumption cannot in general be guaranteed in practice, and in fact, does not need to be guaranteed, because there exists a large number of combined approximations with non-negligible correlations. Meanwhile, the series of experiments in [4] and [7] provide excellent examples for this argument. It also implies that, for block cipher designs, bounding the maximum correlation for any single linear characteristic is not sufficent to claim security. Especially for SPN block ciphers with small S-boxes, a single linear trail with multiple active S-boxes in the first or last round can be modified to have many approximations, exponential in the number of active S-boxes of outer rounds. When these approximations are with similar magnitude of correlations, multidimensional linear cryptanalysis as a systematic way to exploit these combined correlations can reduce the attack complexity greatly. It s worthy for designers to have larger security margins or to try to develop specific mechanisms to prevent an attacker from forming an exponential number of valid linear approximations.

15 14 Phuong Ha Nguyen, Lei Wei, Huaxiong Wang, and San Ling Acknowledgements We thank Joo Yeon Cho for providing the linear approximations used in [10]. This reserach is supported by the Singapore National Research Foundation under Research Grant NRF-CRP and the Singapore Ministry of Education under Research Grant T206B2204. The first author is supported by the Singapore International Graduate (SINGA) Scholarship. References 1. Eli Biham, Orr Dunkelman, and Nathan Keller. Linear Cryptanalysis of Reduced Round Serpent. In Mitsuru Matsui, editor, Fast Software Encryption, volume 2355 of Lecture Notes in Computer Science, pages Springer, Alex Biryukov, Christophe De Cannière, and Michaël Quisquater. On Multiple Linear Approximations. In Matthew K. Franklin, editor, CRYPTO, volume 3152 of Lecture Notes in Computer Science, pages Springer, Joo Yeon Cho, Miia Hermelin, and Kaisa Nyberg. A New Technique for Multidimensional Linear Cryptanalysis with Applications On Reduced Round Serpent. In Pil Joong Lee and Jung Hee Cheon, editors, ICISC, volume 5461 of Lecture Notes in Computer Science, pages Springer, Baudoin Collard, François-Xavier Standaert, and Jean-Jacques Quisquater. Improved and Multiple Linear Cryptanalysis of Reduced Round Serpent. In Dingyi Pei, Moti Yung, Dongdai Lin, and Chuankun Wu, editors, Inscrypt, volume 4990 of Lecture Notes in Computer Science, pages Springer, Baudoin Collard, François-Xavier Standaert, and Jean-Jacques Quisquater. Improved and Multiple Linear Cryptanalysis of Reduced Round Serpent - Description of the Linear Approximations, Unpublished manuscript. 6. Baudoin Collard, François-Xavier Standaert, and Jean-Jacques Quisquater. Improving the Time Complexity of Matsui s Linear Cryptanalysis. In Kil-Hyun Nam and Gwangsoo Rhee, editors, ICISC, volume 4817 of Lecture Notes in Computer Science, pages Springer, Baudoin Collard, François-Xavier Standaert, and Jean-Jacques Quisquater. Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent. In Kaisa Nyberg, editor, Fast Software Encryption, volume 5086 of Lecture Notes in Computer Science, pages Springer, Thomas H. Cormen, Clifford Stein, Ronald L. Rivest, and Charles E. Leiserson. Introduction to Algorithms. McGraw-Hill Higher Education, Yvo Desmedt, editor. Advances in Cryptology - CRYPTO 94, 14th Annual International Cryptology Conference, Santa Barbara, California, USA, August 21-25, 1994, Proceedings, volume 839 of Lecture Notes in Computer Science. Springer, Miia Hermelin, Joo Yeon Cho, and Kaisa Nyberg. Multidimensional Linear Cryptanalysis of Reduced Round Serpent. In Yi Mu, Willy Susilo, and Jennifer Seberry, editors, ACISP, volume 5107 of Lecture Notes in Computer Science, pages Springer, Burton S. Kaliski Jr. and Matthew J. B. Robshaw. Linear Cryptanalysis Using Multiple Approximations. In Desmedt [9], pages Mitsuru Matsui. Linear Cryptanalysis Method for DES Cipher. In Tor Helleseth, editor, EUROCRYPT, volume 765 of Lecture Notes in Computer Science, pages Springer, 1993.

16 On Multidimensional Linear Cryptanalysis Mitsuru Matsui. The First Experimental Cryptanalysis of the Data Encryption Standard. In Desmedt [9], pages R. K. Rao Yarlagadda and John E. Hershey. Hadamard Matrix Analysis and Synthesis: with Applications to Communications and Signal/image Processing. Kluwer Academic Publishers, Norwell, MA, USA, Appendix A Proof For Lemma 2 Proof. Let g = (g 1,..., g m ) and given ρ(a), for all a V m, from (2), (3) 2 m ( p 2 η) = ρ 2 (a). We have 2 facts: p 0 = p and p w is a permutation of p. From (1), we replace p 0 and p w by p, q respectively in (5). Define u = max{q η, η V m } = max{p η, η V m }. Then C(p q) = (p η q η )2 1 (p 2 η + qη 2 2p η q η ). q η u η V m η V m We have q η u 1 q η u 1. Since q is a permutation of p: p η = 1 and p 2 η = qη. 2 η V m η V m η V m Hence From (3), so that 1 (p 2 η + qη 2 2p η q η ) = 2 u u ( p 2 q η η) 2 u p η η V m η V m η V m 2 2 m a V m ρ 2 (a) u = 2 2 m a V m ρ 2 (a) u u = max{p η } 2 m ( C(p q) 2 a V m ρ 2 (a) a V m ρ(a) a V m ρ(a) ), 2. 2( 2. η V m p η )

17 16 Phuong Ha Nguyen, Lei Wei, Huaxiong Wang, and San Ling In practice, since ρ(0) = 1 and ρ(a) 1, a 0, we have a V m ρ(a) 1. Hence C(p q) 2 ρ 2 (a). a V m\{0} B Proof For Theorem 5 Proof. The structure of the modified matrix T 2m 2 m is log(p 0 0) log(p 0 1) log(p 0 2 1) m log(p 1 0) log(p 1 0) log(p 1 2 1) m log(p 2m 1 0 ) log(p 2m 1 1 ) log(p 2m 1 2 m 1 ) From the relation between p w ( w 0) and p 0 = p: p w i = ( 1) a(w i) ρ(a) = ( 1) aj ρ(a) = p j, a V m a V m where j = w i. Hence, log(p w i ) = log(p j), j = w i. It means that T (w, i) = T (0, j) = T (0, w i). Divide T into 4 blocks, each with size (2 m 1 2 m 1 ): ( ) T11 T12. T 21 T22 Then for 0 i, j 2 m 1 1: - T 11 (i, j) = T (i, j) = T (0, i j), - T 21 (i, j) = T (i + 2 m 1, j) = T (0, (i + 2 m 1 ) j) = T (0, i j 2 m 1 ), - T 12 (i, j) = T (i, j + 2 m 1 ) = T (0, i (j + 2 m 1 )) = T (0, (i + 2 m 1 ) j), - T 22 (i, j) = T (i+2 m 1, j+2 m 1 ) = T (0, (i+2 m 1 ) (j+2 m 1 )) = T (0, i j). Consequently, T11 = T 22 and T 12 = T 21, hence T is 2-block circulant. We can inductively repeat the same argument to T 11 with m = m 1. Since T 12 = T 11 2 m 1, the structure of T12 is similar to the circulant structure of T11. Hence, the matrix T is level-m circulant with type (2, 2,..., 2). }{{} m-times

Improving the Algorithm 2 in Multidimensional Linear Cryptanalysis

Improving the Algorithm 2 in Multidimensional Linear Cryptanalysis Phuong Ha Nguyen, Hongjun Wu, and Huaxiong Wang Division of Mathematical Sciences, School of Physical and Mathematical Sciences Nanyang